What You Didnt Know You Dont Know About Compliance Mar 29 07a
Upcoming SlideShare
Loading in...5
×

Like this? Share it with your network

Share
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads

Views

Total Views
1,153
On Slideshare
1,151
From Embeds
2
Number of Embeds
2

Actions

Shares
Downloads
14
Comments
0
Likes
0

Embeds 2

http://elegantsolutions.ca 1
http://pinterest.com 1

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. What You Didn’t Know You Don’t Know About Compliance And What it Means to You as a Project Manager March 29, 2007 ProjectWorld Toronto Boyd Carter, PMP elegantsolutions.ca Please note that the content of this document is dated as at March 29, 2007. While the concept is valid, the regulations may have been amended since then. The content is best viewed in Slide Show format; the notes are useful.
  • 2. Agenda
    • Survey – Compliance Knowledge and Risk
    • What you know you don’t know about compliance
    • What you didn’t know you don’t know about compliance
    • What it means to you as a project manager
    • Resources for the Project Manager
      • Description of “must have” resource documents
      • Links to the best online resources
      • Link to a copy of the presentation
    Copyright © 2006 elegantsolutions.ca www.elegantsolutions.ca (Permission is granted to use unchanged. elegantsolutions.ca)
  • 3. Survey – Compliance Knowledge and Risk
    • If you were being interviewed to lead a compliance project tomorrow, do you think you could demonstrate enough knowledge to be selected to lead the project?
      • Vote with a show of hands
    • Based on the answer you gave above, would the impact on your career be positive or negative?
      • Vote POSITIVE with a show of hands
    • Or Negative?
      • Vote NEGATIVE with a show of hands
    • Or not affect it at all?
      • Vote WOULDN’T AFFECT ME with a show of hands
    Copyright © 2006 elegantsolutions.ca www.elegantsolutions.ca (Permission is granted to use unchanged. elegantsolutions.ca)
  • 4. What You Know You Don’t Know About Compliance
    • Most people know they don’t know:
    • Details of the legislation
    • About Assessments and Attestations
    • What CEO/CFO Certification means
    Copyright © 2006 elegantsolutions.ca www.elegantsolutions.ca (Permission is granted to use unchanged. elegantsolutions.ca)
  • 5. What You Know You Don’t Know About Compliance (Cont.)
    • Details of the US Legislation
    • Sarbanes-Oxley Act of 2002 (Public Law 107-204---July 30, 2002, 107 th Congress of the United States of America)
      • Title I – Public Company Accounting Oversight Board (PCAOB)
        • Section 102 – Registration with the Board (to prepare and/or issue Audit Reports)
        • AS2 (Auditing Standard No. 2)
      • Title II – Auditor Independence
      • Title III – Corporate Responsibility
        • Section 302 – Corporate Responsibility for Financial Reports
      • Title IV – Enhanced Financial Disclosures
        • Section 404 – Management’s assertion of Internal Control over Financial Reporting (ICFR)
      • Titles V – XI
        • V – Analysts Conflicts of Interest
        • VI – Commission Resources and Authority
        • VIII – Corporate and Criminal Fraud Accountability
        • IX – White-collar Crime Penalty Enhancements
        • X – Corporate Tax Returns
        • XI – Corporate Fraud and Accountability
    Copyright © 2006 elegantsolutions.ca www.elegantsolutions.ca (Permission is granted to use unchanged. elegantsolutions.ca)
  • 6. What You Know You Don’t Know About Compliance (Cont.)
    • Details of the Canadian Legislation
    • Bill 198 – An Act to implement budget measures and other initiatives of the Government, 3 rd Session, 37 th Legislature, Ontario, 2002 (and subsequent amendments)
      • Part XXVII – Amends the Ontario Securities Act
    • Ontario Securities Commission – A Self-funded Crown Corporation and the Regulator of Ontario’s Capital Markets: Charter of Corporate Governance ( The OSC administers the Securities Act Ontario and Commodity Futures Act , and is empowered to make legally binding rules. )
    • CSA – Canadian Securities Administrators is the council of Canada’s thirteen provincial and territorial securities regulatory authorities (SRAs).
      • NI 52-108 – Auditor Oversight
      • MI 52-109 – Certification of Disclosure…
      • MI 52-110 – Audit Committees
      • MI 52-111 – Reporting on Internal Control… (not implemented)
      • CSA Notice 52-313 – Status of MI 52-111 (Decision to not implement) and proposed to amend and restate MI 52-109
      • CSA Notice 52-317 – Amended the planned effective date of (now) NI 52-109 to be financial years ending on or after June 30, 2008
    Copyright © 2006 elegantsolutions.ca www.elegantsolutions.ca (Permission is granted to use unchanged. elegantsolutions.ca)
  • 7. What You Know You Don’t Know About Compliance (Cont.)
    • What’s the Difference between (SOX) Sections 302 and 404
    • SEC. 302 . CORPORATE RESPONSIBILITY FOR FINANCIAL REPORTS.
      • (a) REGULATIONS REQUIRED.—The Commission shall, by rule, require, for each company filing periodic reports under section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m, 78o(d)), that the principal executive officer or officers and the principal financial officer or officers, or persons performing similar functions, certify in each annual or quarterly report filed or submitted under either such section of such Act…
    • SEC. 404 . MANAGEMENT ASSESSMENT OF INTERNAL CONTROLS
      • (a) RULES REQUIRED.—The Commission shall prescribe rules requiring each annual report required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m or 78o(d)) to contain an internal control report , which shall—
        • (1) state* the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting ; and
        • (2) contain an assessment , as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.
      • (b) INTERNAL CONTROL EVALUATION AND REPORTING.—With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement.
    Copyright © 2006 elegantsolutions.ca www.elegantsolutions.ca (Permission is granted to use unchanged. elegantsolutions.ca)
  • 8. What You Know You Don’t Know About Compliance (Cont.)
    • What’s the Difference between Assessments, Assertions and Attestations
    • SEC. 404 . MANAGEMENT ASSESSMENT OF INTERNAL CONTROLS
      • (a) RULES REQUIRED.—The Commission shall prescribe rules requiring each annual report required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m or 78o(d)) to contain an internal control report , which shall—
        • (1) state * the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting ; and
        • (2) contain an assessment , as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.
      • (b) INTERNAL CONTROL EVALUATION AND REPORTING.—With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to , and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement.
      • * This statement regarding assessment is often referred to as an Assertion
    Copyright © 2006 elegantsolutions.ca www.elegantsolutions.ca (Permission is granted to use unchanged. elegantsolutions.ca)
  • 9.
    • What CEO/CFO Certification means
    • This is what CEO/CFO Certification means to one corporation
    • Key Requirements for a Compliance Framework (SOX 404 or NI 52-109)
    What You Know You Don’t Know About Compliance Copyright © 2006 elegantsolutions.ca www.elegantsolutions.ca (Permission is granted to use unchanged. elegantsolutions.ca) Control Effectiveness Control Design
  • 10. What You Didn’t Know You Don’t Know About Compliance
    • Most people didn’t know they really don’t know what is required in order
    • to assert “Internal Control Over Financial Reporting (ICFR or ICOFR)
    • Frameworks
    • How to develop a Control Design
    • How to evaluate Control Effectiveness
    • How to provide evidence to support Assertions and Attestations
    Copyright © 2006 elegantsolutions.ca www.elegantsolutions.ca (Permission is granted to use unchanged. elegantsolutions.ca)
  • 11. What You Didn’t Know You Don’t Know About Compliance - Frameworks Copyright © 2006 elegantsolutions.ca www.elegantsolutions.ca (Permission is granted to use unchanged. elegantsolutions.ca) Internal Controls - Integrated Framework (Not ERM) Version 2.0 benefits from lessons learned during the first two years. Auditing Standard 2 (AS2) COBIT Control Objectives ITIL Activities ISO 17799 Security Sarbanes-Oxley Act of 2002 Bill 198
  • 12.
    • Conceptual Level
      • Framework Level
        • COSO (Sub-Components) Points of Focus - COBIT High-Level Control Objectives Level
          • COSO Bullets under Points of Focus – COBIT Detailed Control Objectives Level
    What You Didn’t Know You Don’t Know About Compliance - Frameworks Copyright © 2006 elegantsolutions.ca www.elegantsolutions.ca (Permission is granted to use unchanged. elegantsolutions.ca) COBIT COSO COSO COMPONENT COBIT DOMAIN THE CORE FRAMEWORK Pre-populated, fully annotated COSO and COBIT Control Objectives in increasing levels of detail. > The company’s detailed processes for achieving the Control Objectives > Risk of Non-compliance N-C THE EXTENDED FRAMEWORK The Compliance Teams may populate the Processes, Risks, Controls and Tests at their preferred levels of granularity. Activity-level guidance is provided with exemplar sets of controls and tests. > Company Controls
    • Tests and subsequent Remediation
    • / Remediation Action Plans , if required
  • 13.
            • Certifications typically take place after remediation is completed, but remediation could be cut off at a point in time and status certified at that point in time. (“Certification” is certification of status at a point in time, not certification of compliance.)
    What You Didn’t Know You Don’t Know About Compliance - How to Develop a Control Design and Evaluate Control Effectiveness Copyright © 2006 elegantsolutions.ca www.elegantsolutions.ca (Permission is granted to use unchanged. elegantsolutions.ca) If remediation is required, action plans are executed and the control re-tested. The current state of remediation (and future activity, if required) is documented at the time of certification. > Remediation > Remediation Action Plans Achieving Operational Effectiveness Documented at this level are the processes of the company Documented at this level are specific risks associated with the process Documented at this level are specific controls associated with the mitigation of risk > The company’s detailed processes for achieving the Control Objectives > Risk of Non-compliance N-C > Company Controls > Tests Documented at this level are specific tests associated with the control Control Design Control Effectiveness
  • 14.
    • “ THE” Best Practices Frameworks
    • COSO – The Committee Of Sponsoring Organizations of the Treadway Committee
    • COBIT – Control Objectives for Information and Related Technology, Version 4
    • “ THE” Best Practices Guidance
    • IT Control Objectives for Sarbanes-Oxley, Second Edition
    • and
    What You Didn’t Know You Don’t Know About Compliance - How to provide evidence to support Certifications and Attestations Copyright © 2006 elegantsolutions.ca www.elegantsolutions.ca (Permission is granted to use unchanged. elegantsolutions.ca)
    • “ THE” Best Practices Project Plan
    • The Compliance Road Map from IT Control Objectives for Sarbanes-Oxley, Second Edition
  • 15. What it Means to You as a Project Manager - How to provide evidence to support Certifications and Attestations Road Map Items 1 & 2 Copyright © 2006 elegantsolutions.ca www.elegantsolutions.ca (Permission is granted to use unchanged. elegantsolutions.ca)
  • 16. What it Means to You as a Project Manager - How to provide evidence to support Certifications and Attestations Road Map Items 3 & 4 Copyright © 2006 elegantsolutions.ca www.elegantsolutions.ca (Permission is granted to use unchanged. elegantsolutions.ca)
  • 17. What it Means to You as a Project Manager - How to provide evidence to support Certifications and Attestations Road Map Items 5 & 6 Copyright © 2006 elegantsolutions.ca www.elegantsolutions.ca (Permission is granted to use unchanged. elegantsolutions.ca)
  • 18. What it Means to You as a Project Manager Lets repeat the survey you took at the beginning of this session
    • If you were being interviewed to lead a compliance project tomorrow, do you think you could demonstrate enough knowledge to be selected to lead the project?
      • Vote with a show of hands
    • Based on the answer you gave above, would the impact on your career be positive or negative?
      • Vote POSITIVE with a show of hands
    • Or Negative?
      • Vote NEGATIVE with a show of hands
    • Or not affect it at all?
      • Vote WOULDN’T AFFECT ME with a show of hands
    Copyright © 2006 elegantsolutions.ca www.elegantsolutions.ca (Permission is granted to use unchanged. elegantsolutions.ca)
  • 19. Resources for the Project Manager
    • Description and links to “must have” resource documents (Remember, links are active only when the presentation is in “slide show mode”)
      • This Presentation: http://www.elegantsolutions.ca/Download.html
      • AICPA (for COSO) http://www.aicpa.org/index.htm
      • ISACA (for COBIT) http://www.isaca.org/
      • ITIL (IT Infrastructure Library) http://www.itil.co.uk/
      • ISO (International Organization for Standardization) http://www.iso.org/iso/en/prods-services/popstds/informationsecurity.html
      • SEC on SOX http://www.sec.gov/spotlight/sarbanes-oxley.htm
      • PCAOB Latest News http://www.pcaob.org/News_and_Events/Updates/index.aspx
      • OSC List of Regulations http://www.osc.gov.on.ca/Regulation/Rulemaking/Current/rrn_part5_index.jsp
      • The Canadian Securities Administrators http://www.csa-acvm.ca/home.html
      • Deloitte on CSA Notice 52-313 (on dropping 52-111): http://www.deloitte.com/dtt/article/0,1002,sid%253D3557%2526cid%253D115078,00.html
      • PWC’s CFOdirect Network http://www.cfodirect.pwc.com/CFODirectWeb/Controller.jpf?NavCode=MSRA-6NR6EK
      • (This screen is also a page on: http://www.elegantsolutions.ca/gpage.html )
    Copyright © 2006 elegantsolutions.ca www.elegantsolutions.ca (Permission is granted to use unchanged. elegantsolutions.ca)
  • 20. Resources for the Project Manager Final thoughts for those attending today – buy these products for educational and project management purposes
    • COSO Small Public Companies Download
    • COSO Internal Controls – Integrated Frameworks download
    • COBIT4 Download and subscribe to COBIT Online
    • It Control Objectives for Sarbanes-Oxley, Version 2
    • Mapping Documents from ISACA – some require registering and/or membership (Example – COBIT4 to PMBOC)
    Copyright © 2006 elegantsolutions.ca www.elegantsolutions.ca (Permission is granted to use unchanged. elegantsolutions.ca)